fix: Allow self-signed Root CA for SSO. Fixes #6793 (#6961)

Signed-off-by: Niclas Schnickmann <niclas.schnickmann@nextstep-services.de>
argoproj · Nov 17, 2021 · d9eafee · d9eafee
1 parent 7ab0ad4
commit d9eafee
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 6 deletions.
diff --git a/server/auth/sso/sso.go b/server/auth/sso/sso.go
@@ -5,6 +5,7 @@ import (
 	"crypto"
 	"crypto/rand"
 	"crypto/rsa"
+	"crypto/tls"
 	"crypto/x509"
 	"fmt"
 	"net/http"
@@ -75,6 +76,7 @@ type Config struct {
 	// customGroupClaimName will override the groups claim name
 	CustomGroupClaimName string `json:"customGroupClaimName,omitempty"`
 	UserInfoPath         string `json:"userInfoPath,omitempty"`
+	InsecureSkipVerify   bool   `json:"insecureSkipVerify,omitempty"`
 }
 
 func (c Config) GetSessionExpiry() time.Duration {
@@ -93,10 +95,13 @@ type providerInterface interface {
 	Verifier(config *oidc.Config) *oidc.IDTokenVerifier
 }
 
-type providerFactory func(ctx context.Context, issuer string) (providerInterface, error)
+type providerFactory func(ctx context.Context, issuer string, tlsConfig *tls.Config) (providerInterface, error)
 
-func providerFactoryOIDC(ctx context.Context, issuer string) (providerInterface, error) {
-	return oidc.NewProvider(ctx, issuer)
+func providerFactoryOIDC(ctx context.Context, issuer string, tlsConfig *tls.Config) (providerInterface, error) {
+	// Create http client used by oidc provider to allow modification of underlying TLSClientConfig
+	httpClient := &http.Client{Transport: &http.Transport{TLSClientConfig: tlsConfig}}
+	oidcContext := oidc.ClientContext(ctx, httpClient)
+	return oidc.NewProvider(oidcContext, issuer)
 }
 
 func New(c Config, secretsIf corev1.SecretInterface, baseHRef string, secure bool) (Interface, error) {
@@ -131,7 +136,7 @@ func newSso(
 		providerCtx = oidc.InsecureIssuerURLContext(ctx, c.IssuerAlias)
 	}
 
-	provider, err := factory(providerCtx, c.Issuer)
+	provider, err := factory(providerCtx, c.Issuer, &tls.Config{InsecureSkipVerify: c.InsecureSkipVerify})
 	if err != nil {
 		return nil, err
 	}
@@ -188,7 +193,7 @@ func newSso(
 	if err != nil {
 		return nil, fmt.Errorf("failed to create JWT encrpytor: %w", err)
 	}
-	lf := log.Fields{"redirectUrl": config.RedirectURL, "issuer": c.Issuer, "issuerAlias": "DISABLED", "clientId": c.ClientID, "scopes": config.Scopes}
+	lf := log.Fields{"redirectUrl": config.RedirectURL, "issuer": c.Issuer, "issuerAlias": "DISABLED", "clientId": c.ClientID, "scopes": config.Scopes, "insecureSkipVerify": c.InsecureSkipVerify}
 	if c.IssuerAlias != "" {
 		lf["issuerAlias"] = c.IssuerAlias
 	}

diff --git a/server/auth/sso/sso_test.go b/server/auth/sso/sso_test.go
@@ -2,6 +2,7 @@ package sso
 
 import (
 	"context"
+	"crypto/tls"
 	"testing"
 	"time"
 
@@ -28,7 +29,7 @@ func (fakeOidcProvider) Verifier(config *oidc.Config) *oidc.IDTokenVerifier {
 	return nil
 }
 
-func fakeOidcFactory(ctx context.Context, issuer string) (providerInterface, error) {
+func fakeOidcFactory(ctx context.Context, issuer string, tlsConfig *tls.Config) (providerInterface, error) {
 	return fakeOidcProvider{ctx, issuer}, nil
 }